Bug 13425 - perl-LWP-Protocol-https new security issue CVE-2014-3230
Summary: perl-LWP-Protocol-https new security issue CVE-2014-3230
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/599970/
Whiteboard: has_procedure advisory mga4-32-ok mga...
Keywords: validated_update
Duplicates: 13340
Depends on:
Blocks:
 
Reported: 2014-05-22 18:02 CEST by David Walser
Modified: 2014-06-06 19:51 CEST

See Also:
Source RPM: perl-LWP-Protocol-https-6.40.0-2.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-05-22 18:02:11 CEST
Fedora has issued an advisory on May 13:
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133535.html

They fixed it by adding two patches in this commit:
http://pkgs.fedoraproject.org/cgit/perl-LWP-Protocol-https.git/commit/?h=f20&id=3d177ad2c43908ce407a1bca5de3be0569ed7041

The commit for Fedora 19 has a third patch for "backward compatibility."
More details on its purpose in RedHat Bugzilla:
http://pkgs.fedoraproject.org/cgit/perl-LWP-Protocol-https.git/commit/?h=f19&id=c429e72946cb0f3f39dcefdd4a109b225c9a756a
https://bugzilla.redhat.com/show_bug.cgi?id=1094440#c11

I'm not sure if our IO::Socket::SSL is old enough to need the third patch.

Mageia 4 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-05-22 18:02:18 CEST

Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2014-05-23 15:14:27 CEST
The RedHat bug said that versions prior to 6.04 were not affected, but OpenSuSE released an update for 6.03 (which we have in Mageia 3) for OpenSuSE 12.3 for this, so it may be affected:
http://lists.opensuse.org/opensuse-updates/2014-05/msg00072.html
Comment 2 Jerome Quelin 2014-06-02 15:32:06 CEST
cauldron updated.
perl-LWP-Protocol-https-6.40.0-2.1.mga4 available in core/updates_testing

We shouldn't need the IO::Socket::SSL patch; it's only needed for versions prior to 1.950, while we should have 1.955 in mga4.

Proposed advisory (taken from redhat):
================
This release fixes server certificate validation when a certificate authority is defined by the HTTPS_CA_DIR or HTTPS_CA_FILE environment variable.
================

Please test & validate.

CC: (none) => jquelin
Assignee: jquelin => qa-bugs

Comment 3 Jerome Quelin 2014-06-02 15:34:14 CEST
*** Bug 13340 has been marked as a duplicate of this bug. ***
Comment 4 David Walser 2014-06-02 15:34:56 CEST
Thanks Jerome.  Do you have any idea about whether an update for Mageia 3 is necessary, given Comment 1?  If so, the IO::Socket::SSL patch would be needed there.
Comment 5 Jerome Quelin 2014-06-02 15:42:40 CEST
Given that Debian, who found the bug + proposed the patch, only talks about 6.04 (and never ever mentions 6.03), I'd say that we're good.
(Note that I didn't look at the code itself, neither at the patch.)
Comment 6 David Walser 2014-06-02 15:44:12 CEST
(In reply to David Walser from comment #4)
> Thanks Jerome.  Do you have any idea about whether an update for Mageia 3 is
> necessary, given Comment 1?  If so, the IO::Socket::SSL patch would be
> needed there.

All the information I can find says only 6.04 and newer are affected.  I downloaded the SRPM for the OpenSuSE 12.3 update and it looks like it's not actually a CVE fix, just updating that OpenSuSE release from 6.02 to 6.03.
Comment 7 David Walser 2014-06-02 15:48:04 CEST
Advisory:
========================

Updated perl-LWP-Protocol-https package fixes security vulnerability:

It was reported that libwww-perl (LWP), when using IO::Socket::SSL (the
default) and when the HTTPS_CA_DIR or HTTPS_CA_FILE environment variables
were set, would disable server certificate verification, when the intent was
to only disable hostname verification (CVE-2014-3230).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3230
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133535.html
========================

Updated packages in core/updates_testing:
========================
perl-LWP-Protocol-https-6.40.0-2.1.mga4

from perl-LWP-Protocol-https-6.40.0-2.1.mga4.src.rpm

Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)

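A constructed Perl model of the option handling behind CVE-2014-3230, added here for illustration; it is not the package's own code. The two function names are hypothetical, and the CA path is a made-up value. It reproduces the two-layer logic the advisory describes: the user agent turns HTTPS_CA_DIR/HTTPS_CA_FILE into "verify the peer but not the hostname", and the HTTPS protocol layer then either clobbers that peer-verification setting (vulnerable) or leaves it intact (fixed).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Test::More tests => 4;

# Constructed model (not LWP's real code) of the layers involved in CVE-2014-3230.
# Layer 1 mirrors how LWP::UserAgent treats HTTPS_CA_DIR/HTTPS_CA_FILE:
# setting either means "verify the peer certificate against this CA,
# but skip hostname verification" (Crypt::SSLeay-compatible behaviour).
use constant { SSL_VERIFY_NONE => 0, SSL_VERIFY_PEER => 1 };

sub ua_ssl_opts_from_env {          # hypothetical name
    my (%env) = @_;
    my %opts;
    if ($env{HTTPS_CA_FILE} || $env{HTTPS_CA_DIR}) {
        $opts{verify_hostname} = 0;
        $opts{SSL_verify_mode} = SSL_VERIFY_PEER;
        $opts{SSL_ca_file}     = $env{HTTPS_CA_FILE} if $env{HTTPS_CA_FILE};
        $opts{SSL_ca_path}     = $env{HTTPS_CA_DIR}  if $env{HTTPS_CA_DIR};
    } else {
        $opts{verify_hostname} = 1;
    }
    return %opts;
}

# Layer 2 mirrors LWP::Protocol::https translating verify_hostname into
# IO::Socket::SSL options. The vulnerable variant forces SSL_verify_mode to
# NONE whenever hostname checking is off, discarding the PEER mode chosen in
# layer 1; the fixed variant only applies NONE when nothing was set.
sub https_sock_opts {               # hypothetical name
    my ($fixed, %opts) = @_;
    if (delete $opts{verify_hostname}) {
        $opts{SSL_verify_mode} ||= SSL_VERIFY_PEER;
        $opts{SSL_verifycn_scheme} = 'www';
    } elsif ($fixed) {
        $opts{SSL_verify_mode} = SSL_VERIFY_NONE
            unless exists $opts{SSL_verify_mode};
    } else {
        $opts{SSL_verify_mode} = SSL_VERIFY_NONE;   # the CVE-2014-3230 defect
    }
    return %opts;
}

my %env = (HTTPS_CA_DIR => '/path/to/constructed/ca-dir');   # constructed
my %ua  = ua_ssl_opts_from_env(%env);
my %bad = https_sock_opts(0, %ua);
my %ok  = https_sock_opts(1, %ua);
is($bad{SSL_verify_mode}, SSL_VERIFY_NONE, 'vulnerable: CA set, peer check silently off');
is($ok{SSL_verify_mode},  SSL_VERIFY_PEER, 'fixed: CA set, peer check kept');
is($ok{SSL_ca_path}, '/path/to/constructed/ca-dir', 'fixed: CA path passed through');
ok(!exists $ok{SSL_verifycn_scheme}, 'fixed: only the hostname check is skipped');
```

Running it with plain `perl` needs only core modules; the first test documents the silent downgrade, the remaining three the intended behaviour after the fix.
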
Comment 8 claire robinson 2014-06-06 17:06:33 CEST
Testing complete mga4 32 & 64 using the test case attached here:
https://bugzilla.redhat.com/show_bug.cgi?id=1094440

Before
------
$ perl testcase.pl
... runs its tests and ends with message ...
# Looks like you failed 1 test of 16.

It actually failed on test 10:
not ok 10 - variable to wrong CA should fail: 200 Ok

After
-----
$ perl testcase.pl
... runs its tests and ends without any failure message.

Test 10 now shows:
ok 10 - variable to wrong CA should fail: 500 Can't connect to 127.0.0.1:36272 (certificate verify failed)

Whiteboard: (none) => has_procedure mga4-32-ok mga4-64-ok

Comment 9 claire robinson 2014-06-06 17:09:33 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 10 Thomas Backlund 2014-06-06 19:51:42 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0257.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
